Creating a Private Endpoint

• Console
• CLI
• API

• 1. Open the navigation menu , select Identity & Security, and then select Private Endpoints.
  2. In the Private Endpoints page, select Create private endpoints.
  3. In the Create Private Endpoint page, provide the following details:
     • Type. Displays the external key management private endpoint type as "External." This is the only endpoint type that OCI KMS supports.
     • Name. Enter a name for the external key management private endpoint.
     • Description. Provide a short description.
     • Virtual Cloud Network. Select a VCN from the drop-down list.
     • Subnet. The subnet value gets auto-populated based on the VCN that you select.
     • External Key Management IP address. Based on your TLS connectivity configuration, provide either the static IP address of the Thales CipherTrust Manager or the API Gateway Private IP address.
     • Port. Enter the external key management resource port number. For static IP address based TLS connectivity, provide the port number of Thales CipherTrust Manager server. For example, 443. For FQDN based TLS connectivity, leave the field blank.
     • CA Bundle. The external CA is a PEM-formatted certificate file. For more information about CA, see Certificate Authority.
       Note
       
       Based on your TLS connectivity configuration, use the CA bundle of Thales CTM or OCI API Gateway.
  4. Select Submit.

     Once you create a private endpoint for external key management, you can access the Private Endpoint Details page to see the endpoint in "ACTIVE" state. You can use the actions at the page top to rename, move resource, add tags or delete the endpoint.

• Open a command prompt and run ooci kms ekm ekms-private-endpoint create to create a new private endpoint:

  Command

  CopyTry It

  oci kms ekm ekms-private-endpoint create  --ca-bundle <bundle_type> --compartment-id <compartment_id>| -c <secret_name> --display-name <name> --xternal-key-manager-ip <ip address> --subnet-id,  <subnet_id> --defined-tags <tags> --freeform-tags<tags> 

  For example:

  
  --ca-bundle "-----BEGIN CERTIFICATE-----\nMIIFrjCCA5agAwIBAgIQAsMYA04ijAErxlDri 6cIa/\n-----END CERTIFICATE-----",
  --compartment-id "ocid1.compartment.region1..aaaaaaaaiexample6mjdbzlsxf576zgtlbi3",
  --display-name "Example EKMS PE",
  --external-key-manager-ip 1.2.3.4,
  --subnet-id "ocid1.subnet.region1.sea.aaaaaaexamplenpse5gupw56s5",
  --freeform-tags {"key": "value"},
  --port 6758
  

  Avoid entering confidential information.

  For a complete list of flags and variable options for Vault CLI commands, see Command Line Reference.

• Use the CreateEkmsPrivate Endpoint API to create private endpoint for connecting OCI External Key Management to an external key management system. Thales CipherTrust Manager is supported by OCI for External Key Management.

  Note
  
  Each region has a unique endpoint for create, update, and list operations for secrets. This endpoint is referred to as the control plane URL or secret management endpoint. Each region also has a unique endpoint for operations related to retrieving secret contents. This endpoint is known as the data plane URL or the secret retrieval endpoint. For regional endpoints, see the API Documentation.

  For information about using the API and signing requests, see REST API documentation and Security Credentials. For information about SDKs, see SDKs and the CLI.